Method and device for performing substitution table operations

ABSTRACT

The disclosure concerns implementing, by a cryptographic circuit, a set of substitution operations of a cryptographic process involving a plurality of substitution tables. For each set of substitution operations of the cryptographic process, a series of sets of substitution operations are performed. One set of the series is a real set of substitution operations corresponding to the set of substitution operations of the cryptographic process. One or more other sets are dummy sets of substitution operations, each dummy set being based on a different permutation of said substitution tables.

BACKGROUND

Technical Field

The present disclosure relates to the field of electronic circuits, and in particular to a device and method for accessing substitution tables during a cryptographic operation.

Description of the Related Art

Substitution tables, also known as S-boxes, define a data substitution operation performed during cryptographic algorithms or processes. The purpose of this data substitution is to obscure the relationship between the secret key and the cipher-text, and thus render it harder for the secret key to be discovered.

One technique used by hackers wishing to recover the secret key processed by a cryptographic device is to monitor signals on side channels in order to extract certain information relating, for example, to the power consumption or the timing in the device during the execution of a cryptographic algorithm or process. The manipulation of the secret key during substitution operations is often targeted by hackers using side channel methods due to the relative visibility of substitution operations.

Some solutions have been proposed providing a limited degree of protection against the use of side channel methods.

BRIEF SUMMARY

In an embodiment, a method comprises: executing, using a cryptographic circuit, a set of substitution operations of a cryptographic process involving a plurality of substitution tables, the executing including: performing, for each set of substitution operations of the cryptographic process, a series of sets of substitution operations of which: one set of the series is a real set of substitution operations corresponding to the set of substitution operations of the cryptographic process; and one or more other sets of the series are dummy sets of substitution operations, each dummy set being based on a different permutation of said substitution tables. In an embodiment, a position of the real set of substitution operations in each series is selected randomly based on a first random value. In an embodiment, performing each series of sets of substitution operations comprises: loading N input values, where N is an integer equal to or greater than two; and supplying, on consecutive sets of S-box access operations, each of said N input values to a respective one of N S-boxes, wherein during the real set of substitution operations each of the N input values is supplied to a corresponding one of said N S-boxes based on said cryptographic process, and during the dummy sets of substitution operations each of the N input values is supplied to a different S-box than its corresponding S-box, and wherein the position that the real set of substitution operations is performed with respect to the dummy sets of substitution operations is selected based on the first random value. In an embodiment, each set of substitution operations comprises addressing memory locations of one or more memories based on S-box input data values and reading values at said memory locations to provide S-box output data values. In an embodiment, the method comprises, for each series of sets of substitution operations, storing the S-box output values of each substitution operation, and selecting the output values corresponding to said real set of substitution operations based on said first random value. In an embodiment, performing each set of substitution operations in said series comprises using a same input message and secret key. In an embodiment, each series of sets of substitution operations comprises m−1 dummy sets of substitution operations, where m is an integer fixed at a value equal to or greater than 2 or selected randomly; and for a given key, a same group of m−1 permutations is applied during the corresponding m−1 dummy substitution operations. In an embodiment, each group of m−1 permutations for a given key is selected based on a second random value. In an embodiment, a number of dummy sets of substitution operations performed in each series is selected randomly.

In an embodiment, a non-transitory computer-readable medium stores a computer program which, when executed by a processing device, implements a method, the method comprising: executing a set of substitution operations of a cryptographic process involving a plurality of substitution tables, the executing including: performing, for each set of substitution operations of the cryptographic process, a series of sets of substitution operations of which: one set of the series is a real set of substitution operations corresponding to the set of substitution operations of the cryptographic process; and one or more other sets of the series are dummy sets of substitution operations, each dummy set being based on a different permutation of said substitution tables. In an embodiment, a position of the real set of substitution operations in each series is selected randomly based on a first random value. In an embodiment, performing each series of sets of substitution operations comprises: loading N input values, where N is an integer equal to or greater than two; and supplying, on consecutive sets of S-box access operations, each of said N input values to a respective one of N S-boxes, wherein during the real set of substitution operations each of the N input values is supplied to a corresponding one of said N S-boxes based on said cryptographic process, and during the dummy sets of substitution operations each of the N input values is supplied to a different S-box than its corresponding S-box, and wherein the position that the real set of substitution operations is performed with respect to the dummy sets of substitution operations is selected based on the first random value. In an embodiment, each series of sets of substitution operations comprises m−1 dummy sets of substitution operations, where m is an integer fixed at a value equal to or greater than 2 or selected randomly; and for a given key, a same group of m−1 permutations is applied during the corresponding m−1 dummy substitution operations. In an embodiment, each group of m−1 permutations for a given key is selected based on a second random value. In an embodiment, a number of dummy sets of substitution operations performed in each series is selected randomly.

In an embodiment, a cryptographic device comprises: a memory circuit, which, in operation, stores a plurality of substitution tables to implement sets of substitution operations of a cryptographic process; and one or more circuits, which, in operation, execute the cryptographic process, the executing of the cryptographic process including, for each set of substitution operations of the cryptographic process, performing a series of sets of substitution operations using said substitution tables, each series of sets of substitution operations comprising: a real set of substitution operations corresponding to the set of substitution operations of the cryptographic process; and one or more dummy sets of substitution operations, wherein the one or more circuits apply a different permutation of said substitution tables during each of said dummy sets of substitution operations. In an embodiment, the device comprises a random number generator, which, in operation, generates, for each of said series of sets of substitution operations, a first random value, wherein the one or more circuits randomly select a position of the real set of substitution operations among the one or more dummy sets of substitution operations based on the first random value. In an embodiment, the random number generator, in operation, generates a second random value, wherein the one or more circuits randomly select the permutations of said substitution tables based on the second random value. In an embodiment, the cryptographic device comprises: an input register configured to store N input values; and one or more multiplexers configured to select, for each set of substitution operations of each series, the input value among said N input values to be provided to each substitution table. In an embodiment, the cryptographic device comprises a selection circuit configured to generate a selection signal for controlling the one or more multiplexers based on said first and second random values. In an embodiment, the one or more circuits comprise one or more processing devices under control of instructions stored in an instruction memory to load N input values into a memory, where N is equal to the number of substitution tables, and to select, for each set of substitution operations of each series, either to implement the real set of substitution operations by providing each input value to a corresponding one of said substitution tables based on said cryptographic process, or to implement a dummy set of substitution operations by providing each input value to one of said substitution tables other than the corresponding one.

In an embodiment, a system comprises: one or more processing cores; and cryptographic circuitry coupled to the one or more processing cores, wherein the cryptographic circuitry, in operation, protects execution of a cryptographic process which uses a plurality of substitution tables, the protecting including: performing, for each set of substitution operations of the cryptographic process, a series of sets of substitution operations of which: one set of the series is a real set of substitution operations corresponding to the set of substitution operations of the cryptographic process; and one or more other sets of the series are dummy sets of substitution operations, each dummy set being based on a different permutation of said substitution tables. In an embodiment, a position of the real set of substitution operations in each series is selected randomly based on a first random value. In an embodiment, the cryptographic process is related to a function of the one or more processing cores.

In an embodiment, there is provided a method of implementing, by a cryptographic circuit, a set of substitution operations of a cryptographic algorithm involving a plurality of substitution tables, the method comprising: performing, for each set of substitution operations of the cryptographic algorithm, a series of sets of substitution operations of which: one set is a real set of substitution operations corresponding to the set of substitution operations of the cryptographic algorithm; and one or more other sets are dummy sets of substitution operations, each dummy set being based on a different permutation of said substitution tables.

According to one embodiment, the position of the real set of substitution operations in each series is selected randomly based on a first random value.

According to one embodiment, performing each series of sets of substitution operations comprises: loading N input values, where N is an integer equal to or greater than two; and supplying, on consecutive sets of S-box access operations, each of said N input values to a respective one of N S-boxes, during the real set of substitution operations each of the N input values being supplied to a corresponding one of the N S-boxes based on the cryptographic algorithm, and during the dummy sets of substitution operations each of the N input values being supplied to a different S-box than its corresponding S-box, and the position that the real set of substitution operations is performed with respect to the dummy sets of substitution operations being selected based on the first random value.

According to one embodiment, each set of substitution operations comprises addressing memory locations of one or more memories based on S-box input data values and reading values at the memory locations to provide S-box output data values.

According to one embodiment, the method comprises, for each series of sets of substitution operations, storing the S-box output values of each substitution operation, and selecting the output values corresponding to the real set of substitution operations based on the first random value.

According to one embodiment, performing each set of substitution operations in the series comprises executing the cryptographic algorithm based on a same input message and secret key.

According to one embodiment, each series of sets of substitution operations comprises m−1 dummy sets of substitution operations, where m is an integer fixed at a value equal to or greater than 2 or selected randomly; and for a given key, a same group of m−1 permutations is applied during the corresponding m−1 dummy substitution operations.

According to one embodiment, each group of m−1 permutations for a given key is selected based on a second random value.

According to one embodiment, the number of dummy sets of substitution operations performed in each series is selected randomly.

According to a further aspect, there is provided a non-transitory storage medium storing a computer program configured, when executed by a processing device, to implement the above method.

In an embodiment, there is provided a cryptographic circuit comprising: a memory circuit storing a plurality of substitution tables for implementing sets of substitution operations of a cryptographic algorithm; and one or more circuits configured to perform, for each set of substitution operations of the cryptographic algorithm, a series of sets of substitution operations using said substitution tables, each series of sets of substitution operations comprising: a real set of substitution operations corresponding to the set of substitution operations of the cryptographic algorithm; and one or more dummy sets of substitution operations, the one or more circuits being configured to apply a different permutation of the substitution tables during each of the dummy sets of substitution operations.

According to one embodiment, the cryptographic device further comprises a random number generator configured to generate, for each of the series of sets of substitution operations, a first random value, the one or more circuits being configured to randomly select the position of the real set of substitution operations among the one or more dummy sets of substitution operations based on the first random value.

According to one embodiment, the random number generator is further configured to generate a second random value, the one or more circuits being configured to randomly select the permutations of the substitution tables based on the second random value.

According to one embodiment, the cryptographic device further comprises: an input register configured to store N input values; and one or more multiplexers configured to select, for each set of substitution operations of each series, the input value among the N input values to be provided to each substitution table.

According to one embodiment, the cryptographic device further comprises a selection circuit configured to generate a selection signal for controlling the one or more multiplexers based on the first and second random values.

According to one embodiment, the one or more circuits comprise one or more processing devices under control of instructions stored in an instruction memory to load N input values into a memory, where N is equal to the number of substitution tables, and to select, for each set of substitution operations of each series, either to implement the real set of substitution operations by providing each input value to a corresponding one of said substitution tables based on the cryptographic algorithm, or to implement a dummy set of substitution operations by providing each input value to one of the substitution tables other than the corresponding one.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other features and advantages will become apparent from the following detailed description of embodiments, given by way of illustration and not limitation with reference to the accompanying drawings, in which:

FIG. 1 schematically illustrates a circuit for executing a cryptographic algorithm involving substitution operations according to an example embodiment;

FIG. 2 schematically illustrates an S-box according to an example embodiment;

FIG. 3A schematically illustrates a substitution circuit according to an example embodiment of the present disclosure;

FIG. 3B schematically illustrates a permutation circuit of the substitution circuit of FIG. 3A in more detail according to an example embodiment of the present disclosure;

FIG. 4 schematically illustrates a circuit for executing a series of cryptographic operations according to an example embodiment of the present disclosure;

FIG. 5 is a timing diagram illustrating examples of signals in the circuit of FIG. 4 according to an example embodiment;

FIG. 6A schematically illustrates a circuit for executing a series of cryptographic operations according to a further example embodiment of the present disclosure;

FIG. 6B schematically illustrates a substitution circuit of FIG. 6A in more detail according to an example embodiment of the present disclosure;

FIG. 7 is a timing diagram illustrating an example of signals in the circuit of FIG. 6B;

FIG. 8 schematically illustrates a processing system for performing sets of S-box access operations according to an example embodiment of the present disclosure;

FIG. 9 is a flow diagram representing operations in a method of performing sets of S-box access operations according to an example embodiment of the present disclosure; and

FIG. 10 schematically illustrates a cryptographic device according to an example embodiment of the present disclosure.

DETAILED DESCRIPTION

Throughout the present disclosure, the term “connected” is used to designate a direct electrical connection between circuit elements, whereas the term “coupled” is used to designate an electrical connection between circuit elements that may be direct, or may be via one or more intermediate elements such as multiplexers, buffers, etc.

Furthermore, throughout the present disclosure, the following terms will be considered to have the following definitions:

-   “cryptographic algorithm or process”—any series of operations performed by a device that involves the manipulation of a secret value, such as a secret key, which is to be hidden from the world outside the device. Examples of cryptographic algorithms include algorithms for encrypting or decrypting plaintext/cipher-text based on a secret key, for generating a message authentication code (MAC) or other form of digital signature based on a secret algorithm and/or key, or any other type of secretive operation;
-   “substitution operation” or “S-box access”—an operation of a cryptographic algorithm in which an output data value is generated based on an input data value using a substitution table, e.g., an S-box. The input and output values may have the same, or a different, number of bits. This operation is for example performed using a lookup table (LUT) stored in a memory, and the values defined in the lookup table may be fixed, or could be updated dynamically;
-   “set of substitution operations” or “set of S-box accesses”—a plurality of substitution operations performed using a plurality of substitution tables defined by a cryptographic algorithm. As will be described in more detail below, each set may correspond to a single access to each S-box, or to multiple accesses to each S-box. For example, a set of substitution operations may correspond to a single access to each of the eight S-boxes S1 to S8 during the execution of each substitution operation of a round of the DES algorithm. Alternatively, a set of substitution operations may correspond to all of the substitution operations performed during the execution of the DES algorithm, which involves multiple rounds;
-   “real set of substitution operations”—a set of substitution operations defined by the cryptographic algorithm that is being executed, which is for example a useful operation in that the results of the set of substitutions will contribute towards the calculation of the useful output data of the cryptographic algorithm; and
-   “dummy set of substitution operations”—a fake or false set of substitution operations performed in a similar manner to a real set of substitution operations, but which is superfluous as it is performed in addition to the real set of substitution operations defined by the cryptographic algorithm. While the results of each dummy set of substitution operations may be stored to memory, they are not useful in that the results serve no purpose in relation with the cryptographic algorithm and can be discarded. As described herein, the sets of dummy substitution operations are for example performed based on permuted input data provided to a plurality of substitution tables.

FIG. 1 schematically illustrates a cryptographic circuit 100 according to an example embodiment. The circuit 100 for example receives as inputs a message (MESSAGE) to be processed and a secret key (KEY). For example, the message corresponds to plaintext to be encrypted by the circuit 100 using the secret key, to cipher-text to be decrypted by the circuit 100 using the secret key, or to data that is to be signed by the circuit 100 by generating a digital signature, such as a MAC (message authentication code) based on the key.

The circuit 100 comprises a series of hardware modules implementing the cryptographic algorithm involving various operations 102, 104, 106 applied to the message and key in order to generate an output message (MESSAGE′) corresponding to cipher-text, plaintext and/or a digital signature. In the example of FIG. 1, the operation 104 corresponds to a substitution operation (SUBSTITUTION) involving a plurality of substitution tables.

FIG. 2 schematically illustrates an example of an S-box used during the DES (data encryption standard) algorithm. As known to those skilled in the art, the DES encryption algorithm involves 8 S-boxes S1 to S8, each of which is unique. FIG. 2 illustrates the DES S-box S1.

An S-box access according to the DES encryption algorithm involves inputting 6 input bits (INPUT) b5 to b0, and outputting 4 output bits (OUTPUT) b3 to b0. The S-box S1 is in the form of a lookup table having 16 columns and 4 rows. The bits b5 and b0 of the input value are for example used to select a row of the table, and the bits b4 to b1 of the input value are for example used to select a column of the table. The 4-bit value stored in the selected row and column forms the output value of the S-box.

Of course FIG. 2 illustrates only one example of an S-box, and the principles described in the present disclosure could be applied to any type of S-box in which input data is substituted in order to generate output data based on a table of stored values.

FIG. 3A schematically illustrates a substitution circuit 300 for implementing sets of S-box access operations according to an example embodiment of the present disclosure. The circuit 300 for example forms part of the circuit 100 of FIG. 1.

The circuit 300 for example comprises N S-boxes (S-BOXES) 301, which for example correspond to the eight S-boxes of the DES encryption standard. Alternatively, the N S-boxes could correspond to those used in another encryption standard such as in the TDES (triple DES) encryption standard.

Each of the N S-boxes receives a respective input data value S1_IN to SN_IN, and provides a respective output data value S1_OUT to SN_OUT. The S-boxes 301 are for example implemented by one or more non-volatile memories, the respective input data values S1_IN to SN_IN providing address inputs to the one or more memories, and the output data values S1_OUT to SN_OUT corresponding to the data values stored at the addressed memory locations.

The circuit 300 further comprises an input register (INPUT REG) 302 and an S-box permutation circuit (S-BOX PERM) 304. The input register 302 for example receives N input values INPUTS corresponding to the inputs of a set of substitution operations to be performed in relation with a cryptographic algorithm by the N S-boxes 301. For example, the N input values INPUTS are the result of an operation performed on the message data and the key data of FIG. 1. The register 302 for example provides the N input values IN1 to INN to the S-box permutation circuit 304.

The S-box permutation circuit 304 for example selects the input value to be provided to each of the S-boxes during a given set of substitution operations. For example, the permutation circuit 304 receives a control signal CTRL from a random number generator (RNG) 306 for controlling the selection. The generator 306 is for example a pseudo-random number generator or a true random number generator.

In operation, each real set of S-box access operations defined by the cryptographic algorithm is implemented by a series of m sets of S-box access operations, where m is for example an integer equal to two or more. Only one of the m sets of S-box access operations corresponds to the real set of substitution operations of the cryptographic algorithm. The other m−1 sets of access operations of each series correspond to sets of fake or dummy substitution operations involving different permutations of the S-boxes by the circuit 304. For example, each dummy set of substitution operations for a given series of sets of substitution operations is based on a different permutation from the others.

FIG. 3B schematically illustrates the S-box permutation circuit 304 of FIG. 3A in more detail according to an example embodiment. The circuit 304 for example comprises N multiplexers MP1 to MPN, one associated with each of the N S-boxes. Each of the multiplexers MP1 to MPN receives each of the input values IN1 to INN from the input register 302. Thus any input value can be provided to any S-box. Of course, in the case that only a limited number of permutations are available for selection, each multiplexer MP1 to MPN does not need to receive each input signal IN1 to INN.

The permutation circuit 304 also for example comprises a permutation selection circuit (PERM SEL) 310, which generates a selection signal SEL for controlling the multiplexers MP1 to MPN based on the value of the control signal CTRL provided by the random number generator 306. The permutation selection circuit 310 for example receives a clock signal CLK indicating the period of each set of S-box access operations such that the selection signal SEL can be updated at the appropriate time.

According to one embodiment that will now be described with reference to FIGS. 4 and 5, each set of substitution operations corresponds to all of the substitution operations performed during the execution of a cryptographic algorithm based on a given message and key.

FIG. 4 illustrates the cryptographic circuit 100 of FIG. 1 in more detail for a series of m sets of substitution operations each corresponding to an execution of the DES algorithm based on a given message (MESSAGE) and key (KEY). The cryptographic circuit 100 for example comprises a circuit 400 (F FUNCTION) for executing a round function, each round for example comprising an expansion operation (EXP) performed by a circuit 402, an XOR operation (XOR) performed by a circuit 404 to introduce a round key, the substitution operation performed by the substitution circuit 300, and a permutation operation (P-BOX) performed by a circuit 406. The message resulting from each execution of the DES algorithm is provided to an output register (OP REG) 408, along with the control signal CTRL.

The cryptographic circuit 100 is illustrated multiple times in FIG. 4 to represent the substitution operation performed during each of the series of m executions of the DES algorithm. One of these executions, shown on the left in FIG. 4, is based on no permutation of the S-boxes (S-BOXES P=ID), whereas the other executions are respectively based on permutations P1 to P(m−1). The order of the real and fake DES executions is selected randomly for each series of executions based on the randomly generated control signal CTRL.

FIG. 5 is a timing diagram representing an example of the signals MESSAGE and KEY at the input of the circuit 100 of FIG. 4, of the operations performed by the circuit 100, and of the output message (MESSAGE′) generated during each execution.

A first series SA1 of DES executions is based on a message M1 and on a key k1, and a second series SA2 of DES executions is based on a message M2 and on a key k2. In the example of FIG. 4, the number m of DES executions in each series is fixed at four, although in alternative embodiments m could be any integer equal to 2 or more. The series SA1 for example comprises three fake DES executions F(P1), F(P2) and F(P3) respectively based on permutations P1, P2 and P3 of the S-boxes, and a real DES execution R1. The series SA2 for example comprises three fake DES executions F(P4), F(P5) and F(P6) respectively based on permutations P4, P5 and P6 of the S-boxes, and a real DES execution R2. The position of the real DES execution among the fake executions is randomly selected for each series of m executions, and is the third position in the series SA1 and the second position in the series SA2 in the example of FIG. 5.

In some embodiments, the group of permutations in each series of sets of access operations is fixed for a given secret key, and only the position of the real set of access operations varies between the series. Each time the key changes, a new group of permutations is for example selected.

The message MESSAGE′ resulting from each execution of the cryptographic algorithm is for example output following the termination of each execution of the cryptographic algorithm, and these messages are for example labelled M(P1) to M(P6) in the case of the fake executions F(P1) to F(P6), and M(R1) and M(R2) in the case of the real executions R1 and R2. During each series of executions, all of the messages are for example stored to the output register 408, and the control signal CTRL is for example used to select only the real messages from the output register 408 to provide the result of the cryptographic algorithm.

FIG. 6A illustrates the cryptographic circuit 100 of FIG. 1 in more detail for a series of m sets of substitution operations each corresponding to a single substitution operation accessing a plurality of substitution tables. The example of FIG. 6A is again based on the DES algorithm, and involves the same circuit 400 of FIG. 4. However, in the case of FIG. 6A, each time the substitution circuit 104 is called to apply a set of substitution operations within a given execution of the round function, a series of m sets of substitution operations is performed.

The substitution circuit 300 is illustrated multiple times in FIG. 6A to represent the set of substitution operations performed during each of the series of m sets of substitution operations. One of these sets of substitution operations, shown on the left in FIG. 6A, is based on no permutation of the S-boxes (S-BOXES P=ID), whereas the other sets of substitution operations are respectively based on permutations P1 to P(m−1). The order of the real and fake sets of substitution operations is selected randomly for each series of substitution operations based on the randomly generated control signal CTRL.

FIG. 6B illustrates the substitution circuit 300 in more detail according to an example embodiment. The circuit 300 of FIG. 6B is for example similar to that of FIG. 3A, and like features are labelled with like reference numerals and will not be described again in detail. The example of FIG. 6A is based on the eight S-boxes S1 to S8 of the DES standard. The S-box permutation circuit 304 for example generates a busy bit (BB) to indicate to a host system the periods during which the S-boxes are occupied. Furthermore, in the example of FIG. 6B, the outputs of the S-boxes are provided to an output register (OUTPUT REG) 602, which also for example receives the control signal CTRL from the generator 306.

In operation, during each set of substitution operations to be performedusing the S-boxes S1 to S8, the input data values IN1 to IN8 are loadedinto the input register 302, and the selection of the input value to beprovided to each S-box during each of the m sets of S-box accessoperations of the series is based on the value of the control signalCTRL.

For example, in some embodiments, the control signal CTRL comprisesrandom values PERM, RAC and NFC.

The value RAC for example comprises an r-bit value indicating the position of the real set of substitution operations among the m−1 dummy sets of substitution operations. For example, 2^(r) is equal to m. In one example, m is equal to 4, and r is equal to 2, where a value RAC of “00” indicates the first of the four sets of substitution operations, and a value of RAC of “11” indicates the fourth of the four sets of substitution operations.

The permutations are for example selected randomly based on the random value PERM provided by the generator 306. In some embodiments, the permutations are selected randomly for each of the m−1 dummy sets of access operations in each series. In alternative embodiments, for a given key value k, the particular permutations applied during each of the m−1 sets of dummy access operations are fixed until the key is changed.

The number of possible permutations of the eight S-boxes S1 to S8 in the example of FIG. 6B is equal to 8-factorial, also expressed as 8!, which is equal to 40320. Furthermore, each of the m−1 sets of dummy substitution operations of a given series of sets of substitution operations uses a different permutation. Therefore, for a given series of sets of substitution operations, the S-box permutation circuit 304 for example selects both the permutations to be applied, and the order in which the permutations are to be applied.

In some embodiments, the permutation circuit 304 is capable of applying a limited group of permutations in a limited number of different orders for the m−1 sets of dummy substitution operations, and the value of PERM is used to randomly select both the permutations and the order of the permutations. An example of the permutation selection based on a 3-bit value of PERM, on a value of m equal to 4, and based on eight available permutations P1 to P8, is provided in the following table for the m−1 sets of dummy substitution operations:

Value of PERM    Selected permutations and order
“000”            P1, P2, P3
“001”            P4, P5, P6
“010”            P7, P8, P2
“011”            P4, P6, P8
“100”            P3, P6, P1
“101”            P5, P7, P2
“110”            P8, P5, P1
“111”            P7, P4, P6

Furthermore, the value of RAC is used to select the position of the real set of substitution operations with respect to the m−1 dummy sets of substitution operations. Thus, if PERM is equal to “000” and RAC is equal to “11”, the m sets of substitutions are for example performed as follows based on the table above: P1, P2, P3, RA, where RA corresponds to the real set of S-box access operations.
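As an added example, not code from the patent, the following Python model implements the PERM table and the RAC positioning just described for m equal to 4. The concrete permutations P1 to P8 are constructed here, since the text does not specify them; each is a derangement of the eight S-box indices, so that a dummy set never delivers an input to its own S-box, and `check_series` verifies that property, together with the uniqueness of the three selected permutations, for any PERM and RAC combination.

```python
# Added example (not code from the patent): a model of the PERM/RAC selection
# described above, with m fixed at 4. PERM is a 3-bit value that picks three
# permutations and their order from the table in the text; RAC is a 2-bit
# value giving the position of the real set among them. The eight concrete
# permutations P1..P8 are constructed for this example (the text leaves them
# unspecified); each is a derangement of the S-box indices 0..7, so that in a
# dummy set no input reaches its own S-box, as the text requires.

N_SBOXES = 8

# Constructed derangements of range(8): PERMS[name][i] is the S-box (0-based,
# S1 = 0 ... S8 = 7) that input IN(i+1) is routed to under that permutation.
PERMS = {
    "P1": (1, 2, 3, 4, 5, 6, 7, 0),
    "P2": (2, 3, 4, 5, 6, 7, 0, 1),
    "P3": (3, 4, 5, 6, 7, 0, 1, 2),
    "P4": (4, 5, 6, 7, 0, 1, 2, 3),
    "P5": (5, 6, 7, 0, 1, 2, 3, 4),
    "P6": (6, 7, 0, 1, 2, 3, 4, 5),
    "P7": (7, 0, 1, 2, 3, 4, 5, 6),
    "P8": (1, 0, 3, 2, 5, 4, 7, 6),
}
IDENTITY = tuple(range(N_SBOXES))  # the real set: P = ID, no permutation

# The table from the text: PERM -> the m-1 = 3 dummy permutations, in order.
PERM_TABLE = {
    "000": ("P1", "P2", "P3"),
    "001": ("P4", "P5", "P6"),
    "010": ("P7", "P8", "P2"),
    "011": ("P4", "P6", "P8"),
    "100": ("P3", "P6", "P1"),
    "101": ("P5", "P7", "P2"),
    "110": ("P8", "P5", "P1"),
    "111": ("P7", "P4", "P6"),
}


def is_derangement(perm):
    """True if perm is a permutation of range(8) that moves every index."""
    return sorted(perm) == list(IDENTITY) and all(p != i for i, p in enumerate(perm))


def schedule(perm_bits, rac_bits):
    """Order of the m = 4 sets for one series: the three dummy permutations
    selected by PERM, with the real set ("RA") inserted at position RAC."""
    dummies = list(PERM_TABLE[perm_bits])
    position = int(rac_bits, 2)  # "00" -> first set ... "11" -> fourth set
    dummies.insert(position, "RA")
    return dummies


def sbox_inputs(label, inputs):
    """Which input each S-box receives during one set. For the real set,
    S-box j receives input j; for a dummy set, input i goes to S-box perm[i]."""
    perm = IDENTITY if label == "RA" else PERMS[label]
    routed = [None] * N_SBOXES
    for i, x in enumerate(inputs):
        routed[perm[i]] = x
    return routed


def check_series(perm_bits, rac_bits):
    """Checks a designer would want on every series: exactly one real set,
    three distinct dummy permutations, and every dummy set routing every
    input away from its own S-box. Returns (ok, sequence)."""
    seq = schedule(perm_bits, rac_bits)
    dummies = [s for s in seq if s != "RA"]
    ok = (
        seq.count("RA") == 1
        and len(set(dummies)) == 3
        and all(is_derangement(PERMS[d]) for d in dummies)
    )
    return ok, seq


if __name__ == "__main__":
    # The worked case from the text: PERM = "000", RAC = "11" -> P1, P2, P3, RA.
    print(schedule("000", "11"))
    for perm in PERM_TABLE:
        for rac in ("00", "01", "10", "11"):
            assert check_series(perm, rac)[0]
```

The routing convention (input i goes to S-box `perm[i]`) mirrors the multiplexers in front of the S-boxes; `sbox_inputs` returns what each S-box sees, which is what a leakage model of the dummy set would be built on.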

The value NFC for example indicates the number m−1 of dummy sets of substitution operations in each series. In some embodiments, this value may be fixed for a given key, while in other embodiments, this value is randomly generated for each series of sets of substitution operations.

For example, in one embodiment, the value NFC is a 2-bit value, and the value RAC is a 3-bit value. The number m−1 of dummy S-box accesses in each series of S-box accesses is for example equal to:

m−1 = 2^(NFC) − 1

Thus, with the value of NFC being equal to 0, 1, 2 or 3, the number m−1 of dummy S-box accesses can for example be 0, 1, 3 or 7. Furthermore, the value RAC is for example used to determine the position of the real access by performing a logic AND operation between the 3-bit binary value RAC and a 3-bit binary value FN representing the number m−1.

By randomly generating the value of NFC for each series of S-box accesses, the processing time for each real S-box access will be variable. Thus, as the duration of each S-box access is no longer predictable, the busy bit BB for example indicates to the host processing system the time periods during which the S-boxes 301 are occupied.

The output register 602 for example stores each of the output values S1_OUT to S8_OUT from the S-boxes S1 to S8 during each of the sets of substitution operations of each series. Furthermore, the circuit 602 for example selects the real set of output values to form the output values OUTPUTS based on the value RAC.

Operation of the circuit of FIG. 6B will now be described in more detail with reference to FIG. 7.

FIG. 7 is a timing diagram representing examples of the value NFC, the value RAC, the S-box access operations OP, and the output values OUTPUTS, during a series of sets of accesses SA1 and SA2 using the circuit of FIG. 6B.

During the series of sets of accesses SA1, the values of NFC and RAC are randomly generated to equal 2 and 5 respectively. Thus, based on the above equation, the number m−1 of dummy sets of S-box operations in the series SA1 is equal to 3. The total number of sets of S-box accesses in any series is equal to m, and the result of the operation NF*RAC is for example a 3-bit value that may assume a value between 0 and NF, where 0 represents the first access of the series, and NF represents the last access of the series. Thus, in the example of the series of accesses SA1, the position of the real access operation is equal to a logic AND applied bit by bit to the values “011” and “101”, which gives “001”, corresponding to the second access of the series. Thus, in the example of the series of accesses SA1, the position of the real set of access operations is second, and the series SA1 of m sets of access operations comprises, in sequence: a dummy set of access operations using a random permutation P1; a real set of access operations R1; a dummy set of access operations using a random permutation P2; and a dummy set of access operations using a random permutation P3. After the last set of access operations, the output values OUTPUTS become equal to the result of the real set of access operations RA1.

During the series of accesses SA2, the values of NFC and RAC are randomly generated to equal 1 and 4 respectively. Thus the number m−1 of dummy sets of S-box operations in the series SA2 is equal to 1, and the position of the real access operation in the series SA2 is equal to a logic AND applied bit by bit to the values “001” and “100”, which gives “000”, corresponding to the first access of the series. Thus, in the example of the series of sets of accesses SA2, the m sets of access operations comprise, in sequence: a real set of access operations R2; and a dummy set of access operations using a random permutation P4. After the last set of access operations, the output values OUTPUTS become equal to the result of the real set of access operations RA2.

The examples of FIGS. 3A, 4 and 6A correspond to hardware implementations. In alternative embodiments, the method of performing a set of S-box access operations described herein could be implemented in software, as will now be described in more detail with reference to FIGS. 8 and 9.

FIG. 8 schematically illustrates a processing system 800 according to an example embodiment of the present disclosure. The system 800 for example comprises a processing device (P) 802 coupled via a bus 804 to a memory 806 storing a plurality of S-boxes (S-BOXES). The memory 806 is for example a non-volatile memory (NVM). The system 800 also for example comprises, coupled to the bus 804, a volatile memory 808, which is for example a RAM (random access memory), an input/output interface (I/O INTERFACE) 810, and a random number generator (RNG) 812. The processing device 802 for example comprises one or more processing cores or circuitry under control of instructions stored in an instruction memory, for example the memory 806 and/or 808.

FIG. 9 is a flow diagram illustrating operations in a method of performing a set of S-box access operations according to an example embodiment of the present disclosure, and using the processing system of FIG. 8. As described above, each set of S-box access operations may correspond to only the substitution operation itself, or to the substitution operation performed during an entire cryptographic algorithm.

In an operation 901, the random value CTRL is generated, for example based on random values provided by the generator 812. These values are for example stored in the RAM 808.

In an operation 902, the processing device 802 performs m sets of S-box accesses. Each set of S-box accesses for example involves loading N input values into the working memory of the processing device 802, which for example corresponds to the memory 808. One of these sets corresponds to a real set based on S-box accesses as defined by the cryptographic algorithm being executed, without permutation. The remaining m−1 sets of S-box accesses correspond to sets of dummy access operations, in which a permutation is applied by the processing device 802, based on the value CTRL, such that during these S-box accesses, each of the N input values is not provided to its corresponding S-box, but to another S-box based on a random selection. The real set of accesses is randomly positioned with respect to the dummy sets of accesses based on the value CTRL. Each set of S-box accesses is for example performed by addressing one or more non-volatile memories, such as the memory 806, which for example stores a lookup table corresponding to each S-box. The result of each set of S-box accesses is stored to memory, such as to the RAM 808.

While in the hardware implementation of FIG. 6B the S-box accesses of each set are for example performed in parallel in each of the S-boxes S1 to S8, in the case of the software implementation of FIG. 8, the S-box accesses of each set may be performed in parallel if processing resources permit, or may be performed in series.

In operation 904, the results of the real set of S-box accesses are selected to be used in the cryptographic algorithm, based on the signal CTRL. For example, the processing device 802 selects in the RAM 808, based on the values of the random values RAC and NFC of the control signal CTRL, an address corresponding to the storage location of the results of the real set of substitution operations.
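As an added example that is not part of the patent, the following Python model runs operations 901 to 904 with the NFC/RAC scheme of FIG. 7: it computes m−1 = 2^(NFC) − 1 and the real position as the AND of RAC with FN, performs the m sets with a fresh random derangement for each dummy set, stores every result as the RAM 808 would, and selects the real result. The eight S-boxes are constructed 4-bit tables rather than the DES S-boxes, and a seeded `random.Random` stands in for the RNG 812; the main block reproduces the two series SA1 and SA2 of FIG. 7.

```python
# Added example (not code from the patent): a software model of operations
# 901-904 of FIG. 9 using the NFC/RAC scheme of the text, where NFC is a 2-bit
# value, m - 1 = 2**NFC - 1, and the real set's position is RAC AND FN with FN
# the 3-bit value of m - 1. The eight S-boxes are constructed 4-bit lookup
# tables standing in for S1..S8 (not the DES S-boxes), and a seeded
# random.Random stands in for the RNG 812. Dummy permutations are random
# derangements, so that no input reaches its own S-box in a dummy set.
import random

N = 8  # number of S-boxes and of input values per set

# Constructed 4-bit -> 4-bit tables, one per S-box (not the real DES tables).
SBOXES = [tuple(((i * 7 + 3 * k) ^ (i >> 1)) & 0xF for i in range(16)) for k in range(N)]


def make_rng(seed):
    """Stand-in for the RNG 812 (operation 901): a seeded generator."""
    return random.Random(seed)


def num_dummy_sets(nfc):
    """m - 1 = 2^NFC - 1 for the 2-bit value NFC: 0, 1, 3 or 7."""
    if not 0 <= nfc <= 3:
        raise ValueError("NFC is a 2-bit value")
    return (1 << nfc) - 1


def real_position(nfc, rac):
    """Position (0 = first) of the real set: bitwise AND of the 3-bit RAC
    with FN = m - 1. FN is a run of ones, so the result always lies in
    0..m-1 whatever RAC is."""
    if not 0 <= rac <= 7:
        raise ValueError("RAC is a 3-bit value")
    return rac & num_dummy_sets(nfc)


def random_derangement(rng):
    """A random permutation of range(N) with no fixed point (rejection sampling)."""
    while True:
        perm = list(range(N))
        rng.shuffle(perm)
        if all(p != i for i, p in enumerate(perm)):
            return tuple(perm)


def sbox_set(inputs, perm):
    """One set of S-box accesses: input i is looked up in S-box perm[i].
    Returns the N outputs indexed by S-box, like S1_OUT..S8_OUT."""
    out = [None] * N
    for i, x in enumerate(inputs):
        out[perm[i]] = SBOXES[perm[i]][x & 0xF]
    return out


def series(inputs, nfc, rac, rng):
    """Operations 902 and 904: run m sets, keep every result (the RAM 808),
    then select the real set's result. Returns (trace, outputs), where trace
    marks each set "R" (real) or "D" (dummy) in execution order."""
    m = num_dummy_sets(nfc) + 1
    pos = real_position(nfc, rac)
    ram, trace = [], []
    for k in range(m):
        if k == pos:
            perm, tag = tuple(range(N)), "R"  # no permutation: the real set
        else:
            perm, tag = random_derangement(rng), "D"
        ram.append(sbox_set(inputs, perm))
        trace.append(tag)
    return trace, ram[pos]


if __name__ == "__main__":
    rng = make_rng(1)
    sample = [3, 14, 7, 0, 9, 12, 5, 10]  # constructed input values IN1..IN8
    # Series SA1 of FIG. 7: NFC = 2, RAC = 5 -> 3 dummy sets, real set second.
    print(series(sample, 2, 5, rng))
    # Series SA2 of FIG. 7: NFC = 1, RAC = 4 -> 1 dummy set, real set first.
    print(series(sample, 1, 4, rng))
```

Because every set of the series performs the same number of table lookups on the same inputs, the selected output is identical whatever NFC and RAC are drawn; only the position of the real set and the total duration vary, which is exactly what the busy bit BB reports to the host.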

FIG. 10 schematically illustrates a cryptographic device 1000 according to an example embodiment.

The device 1000 for example comprises a processing device (P) 1002 corresponding to the host processor of the cryptographic device 1000. The processing device 1002 is for example in communication with a cryptographic circuit 1004, which for example corresponds to the circuit 300 of FIG. 3A, 4 or 6A, or to some or all of the components of the processing system 800 of FIG. 8. The cryptographic device 1000 also for example comprises a memory (MEM) 1006 and an input/output interface (I/O) 1008 in communication with the processing device 1002.

The device 1000 for example corresponds to an integrated circuit card (often known as a “smart card”), portable electronics device or other type of electronics device in which a cryptographic function is to be realized. In some embodiments, the input/output interface 1008 may correspond to an NFC (near-field communication) interface.

An advantage of the embodiments described herein is that the discovery of a secret key manipulated during sets of substitution operations of a cryptographic algorithm using side channel methods may be rendered considerably more difficult. Indeed, performing dummy sets of S-box accesses based on permutations of the S-boxes creates a dissymmetry of the leakages during each real set of S-box accesses, and it becomes very difficult for a meaningful correlation to be determined between side channel signals during the S-box accesses and the value of the secret key.

Furthermore, using a same group of permutations for a given secret key can lead to the generation of misleading information regarding the key value on the side channels. Indeed, a given permutation repeated several times for a same key can be mistaken for genuine S-box accesses performed based on a different ghost key. With several different permutations, the number of different ghost keys that will appear to have good correlations can be relatively high, and significantly higher than in the case that a fake key and/or fake message is used.

An advantage of the hardware implementations of FIGS. 3A, 3B, 4, 6A and 6B is that switching between dummy and real sets of S-box accesses can be performed relatively rapidly, leading to a relatively small time overhead for the additional sets of S-box accesses.

Having thus described at least one illustrative embodiment, various alterations, modifications and improvements will readily occur to those skilled in the art. For example, it will be apparent to those skilled in the art that the circuit of FIG. 3B implementing the S-box permutation circuit is merely one example, and that many alternative implementations would be possible.

Furthermore, while embodiments have been described in which each permutation is applied at the level of a single substitution operation, or at the level of an entire cryptographic algorithm, the permutation could also be applied at different levels. For example, each permutation could be applied for an entire round of the DES encryption algorithm, and a series of fake rounds could be performed for each real round to be executed.

Furthermore, it will be apparent to those skilled in the art that the various features described in relation with the embodiments could be combined, in alternative embodiments, in any combination. For example, it would be possible to implement the S-box access method of the present disclosure using a combination of hardware and software.

Some embodiments may take the form of or comprise computer program products. For example, according to one embodiment there is provided a computer readable medium comprising a computer program adapted to perform one or more of the methods or functions described above. The medium may be a physical storage medium, such as for example a Read Only Memory (ROM) chip, or a disk such as a Digital Versatile Disk (DVD-ROM), Compact Disk (CD-ROM), a hard disk, a memory, a network, or a portable media article to be read by an appropriate drive or via an appropriate connection, including as encoded in one or more barcodes or other related codes stored on one or more such computer-readable mediums and being readable by an appropriate reader device.

Furthermore, in some embodiments, some or all of the methods and/or functionality may be implemented or provided in other manners, such as at least partially in firmware and/or hardware, including, but not limited to, one or more application-specific integrated circuits (ASICs), digital signal processors, discrete circuitry, logic gates, standard integrated circuits, controllers (e.g., by executing appropriate instructions, and including microcontrollers and/or embedded controllers), field-programmable gate arrays (FPGAs), complex programmable logic devices (CPLDs), etc., as well as devices that employ RFID technology, and various combinations thereof.

The various embodiments described above can be combined to provide further embodiments. Aspects of the embodiments can be modified, if necessary to employ concepts of the various patents, applications and publications to provide yet further embodiments.

These and other changes can be made to the embodiments in light of the above-detailed description. In general, in the following claims, the terms used should not be construed to limit the claims to the specific embodiments disclosed in the specification and the claims, but should be construed to include all possible embodiments along with the full scope of equivalents to which such claims are entitled. Accordingly, the claims are not limited by the disclosure.

The invention claimed is:
1. A method, comprising: executing, using a cryptographic circuit, a cryptographic process including a plurality of substitution operations; and protecting the cryptographic circuit during execution of the cryptographic process, the executing and protecting including, performing, for each of the plurality of substitution operations of the cryptographic process, a series of m sets of substitution operations of which: one set of the series corresponds to the plurality of substitution operations of the cryptographic process, and is performed using a plurality of substitution tables; and m−1 sets of the series are dummy sets of substitution operations, each dummy set being performed using a different permutation of the plurality of substitution tables, wherein, for a given key, a same group of m−1 permutations are applied during the corresponding m−1 dummy substitution operations.
2. The method of claim 1, wherein a position of the set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process in each of the series of sets of substitution operations is selected randomly based on a first random value.
3. The method of claim 2, wherein performing each series of sets of substitution operations comprises: loading N input values, where N is an integer equal to or greater than two; and supplying, on consecutive sets of S-box access operations, each of said N input values to a respective one of N S-boxes, wherein during the set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process, each of the N input values is supplied to a corresponding one of said N S-boxes based on said cryptographic process, and during the dummy sets of substitution operations each of the N input values is supplied to a different S-box than its corresponding S-box, and wherein the position that the set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process is performed with respect to the dummy sets of substitution operations is selected based on the first random value.
4. The method of claim 2, wherein each set of substitution operations comprises addressing memory locations of one or more memories based on S-box input data values and reading values at said memory locations to provide S-box output data values.
5. The method of claim 4, comprising, for each series of sets of substitution operations, storing the S-box output values of each substitution operation, and selecting the output values corresponding to the set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process based on said first random value.
6. The method of claim 1, wherein performing each set of substitution operations in said series comprises using a same input message and secret key.
7. The method of claim 6, wherein: m is an integer fixed at a value equal to or greater than 2 or selected randomly.
8. The method of claim 7, wherein each group of m−1 permutations for a given key is selected based on a second random value.
9. The method of claim 1, wherein a number of dummy sets of substitution operations performed in each series is selected randomly.
10. A non-transitory computer-readable medium storing a computer program which, when executed by a processing device, implements a method, the method comprising: executing, using a cryptographic circuit, a cryptographic process including a plurality of substitution operations; and protecting the cryptographic circuit during execution of the cryptographic process, the executing and protecting including, performing, for each of the plurality of substitution operations of the cryptographic process, a series of m sets of substitution operations of which: one set of the series corresponds to the plurality of substitution operations of the cryptographic process, and is performed using a plurality of substitution tables; and m−1 sets of the series are dummy sets of substitution operations, each dummy set being performed using a different permutation of the plurality of substitution tables, wherein, for a given key, a same group of m−1 permutations are applied during the corresponding m−1 dummy substitution operations.
11. The non-transitory computer readable medium of claim 10 wherein a position of the set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process in each of the series of sets of substitution operations is selected randomly based on a first random value.
12. The non-transitory computer readable medium of claim 11 wherein performing each series of sets of substitution operations comprises: loading N input values, where N is an integer equal to or greater than two; and supplying, on consecutive sets of S-box access operations, each of said N input values to a respective one of N S-boxes, wherein during the set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process, each of the N input values is supplied to a corresponding one of said N S-boxes based on said cryptographic process, and during the dummy sets of substitution operations each of the N input values is supplied to a different S-box than its corresponding S-box, and wherein the position that the set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process is performed with respect to the dummy sets of substitution operations is selected based on the first random value.
13. The non-transitory computer readable medium of claim 10 wherein: m is an integer fixed at a value equal to or greater than 2 or selected randomly.
14. The non-transitory computer readable medium of claim 13, wherein each group of m−1 permutations for a given key is selected based on a second random value.
15. The non-transitory computer readable medium of claim 10 wherein a number of dummy sets of substitution operations performed in each series is selected randomly.
16. A cryptographic device, comprising: a memory circuit, which, in operation, stores a plurality of substitution tables to implement a plurality of substitution operations of a cryptographic process; and cryptographic circuitry coupled to the memory circuit, wherein the cryptographic circuitry, in operation, executes the cryptographic process; and protects the cryptographic circuitry during execution of the cryptographic process, the executing and protecting including, for each of the plurality of substitution operations of the cryptographic process, performing a series of m sets of substitution operations using said substitution tables, each series of m sets of substitution operations comprising: a set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process; and m−1 dummy sets of substitution operations, wherein a different permutation of said substitution tables is applied during each of said dummy sets of substitution operations, and, for a given key, a same group of m−1 permutations are applied during the corresponding m−1 dummy substitution operations.
17. The cryptographic device of claim 16, comprising a random number generator, which, in operation, generates, for each of said series of sets of substitution operations, a first random value, wherein the cryptographic circuitry randomly selects a position of the set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process among the m−1 dummy sets of substitution operations based on the first random value.
18. The cryptographic device of claim 17, wherein the random number generator, in operation, generates a second random value, wherein the cryptographic circuitry randomly selects the permutations of said substitution tables based on the second random value.
19. The cryptographic device of claim 18, comprising: an input register configured to store N input values; and one or more multiplexers configured to select, for each set of substitution operations of each series, the input value among said N input values to be provided to each substitution table.
20. The cryptographic device of claim 19, comprising a selection circuit configured to generate a selection signal for controlling the one or more multiplexers based on said first and second random values.
21. The cryptographic device of claim 16, wherein the cryptographic circuitry comprises one or more processing devices under control of instructions stored in an instruction memory to load N input values into a memory, where N is equal to the number of substitution tables, and to select, for each set of substitution operations of each series, either to implement the set of substitution operations corresponding to the plurality of substitution operations of the cryptographic process by providing each input value to a corresponding one of said substitution tables based on said cryptographic process, or to implement a dummy set of substitution operations by providing each input value to one of said substitution tables other than the corresponding one.
22. A system, comprising: one or more processing cores; and cryptographic circuitry coupled to the one or more processing cores, wherein the cryptographic circuitry, in operation, executes a cryptographic process and protects the cryptographic circuitry during execution of the cryptographic process, the executing and protecting including: performing, for each set of substitution operations of the cryptographic process, a series of sets of substitution operations of which: one set of the series is a real set of substitution operations corresponding to the set of substitution operations of the cryptographic process, and is performed using a plurality of substitution tables; and m−1 other sets of the series are dummy sets of substitution operations, each dummy set being performed using a different permutation of the plurality of substitution tables, wherein for a given key, a same group of m−1 permutations are applied during the corresponding m−1 dummy substitution operations.
23. The system of claim 22, wherein a position of the real set of substitution operations in each series is selected randomly based on a first random value.
24. The system of claim 22, wherein the cryptographic process is related to a function of the one or more processing cores.